File ImageMagick-CVE-2017-16669,17682.patch of Package ImageMagick.9293
+++ a/coders/wpg.c
Index: ImageMagick-6.8.8-1/coders/wpg.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/wpg.c 2017-11-23 14:08:13.828650667 +0100
+++ ImageMagick-6.8.8-1/coders/wpg.c 2017-11-24 11:15:52.766165166 +0100
@@ -264,7 +264,8 @@ static void Rd_WP_DWORD(Image *image,siz
return;
}
-static void InsertRow(unsigned char *p,ssize_t y,Image *image, int bpp)
+static MagickBooleanType InsertRow(unsigned char *p,ssize_t y,Image *image,
+ int bpp)
{
ExceptionInfo
*exception;
@@ -285,14 +286,14 @@ static void InsertRow(unsigned char *p,s
*indexes;
exception=(&image->exception);
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+ if (q == (PixelPacket *) NULL)
+ return(MagickFalse);
+ indexes=GetAuthenticIndexQueue(image);
switch (bpp)
{
case 1: /* Convert bitmap scanline. */
{
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=GetAuthenticIndexQueue(image);
for (x=0; x < ((ssize_t) image->columns-7); x+=8)
{
for (bit=0; bit < 8; bit++)
@@ -315,16 +316,13 @@ static void InsertRow(unsigned char *p,s
}
p++;
}
- if (!SyncAuthenticPixels(image,exception))
- break;
break;
}
case 2: /* Convert PseudoColor scanline. */
{
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=GetAuthenticIndexQueue(image);
+ if ((image->storage_class != PseudoClass) ||
+ (indexes == (IndexPacket *) NULL))
+ return MagickFalse;
for (x=0; x < ((ssize_t) image->columns-3); x+=4)
{
index=ConstrainColormapIndex(image,(*p >> 6) & 0x3);
@@ -342,8 +340,8 @@ static void InsertRow(unsigned char *p,s
index=ConstrainColormapIndex(image,(*p) & 0x3);
SetPixelIndex(indexes+x+1,index);
SetPixelRGBO(q,image->colormap+(ssize_t) index);
- p++;
q++;
+ p++;
}
if ((image->columns % 4) != 0)
{
@@ -367,17 +365,11 @@ static void InsertRow(unsigned char *p,s
}
p++;
}
- if (SyncAuthenticPixels(image,exception) == MagickFalse)
- break;
break;
}
case 4: /* Convert PseudoColor scanline. */
{
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=GetAuthenticIndexQueue(image);
for (x=0; x < ((ssize_t) image->columns-1); x+=2)
{
index=ConstrainColormapIndex(image,(*p >> 4) & 0x0f);
@@ -398,16 +390,10 @@ static void InsertRow(unsigned char *p,s
p++;
q++;
}
- if (SyncAuthenticPixels(image,exception) == MagickFalse)
- break;
break;
}
case 8: /* Convert PseudoColor scanline. */
{
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL) break;
- indexes=GetAuthenticIndexQueue(image);
-
for (x=0; x < (ssize_t) image->columns; x++)
{
index=ConstrainColormapIndex(image,*p);
@@ -416,15 +402,10 @@ static void InsertRow(unsigned char *p,s
p++;
q++;
}
- if (SyncAuthenticPixels(image,exception) == MagickFalse)
- break;
}
break;
case 24: /* Convert DirectColor scanline. */
- q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
- if (q == (PixelPacket *) NULL)
- break;
for (x=0; x < (ssize_t) image->columns; x++)
{
SetPixelRed(q,ScaleCharToQuantum(*p++));
@@ -432,10 +413,11 @@ static void InsertRow(unsigned char *p,s
SetPixelBlue(q,ScaleCharToQuantum(*p++));
q++;
}
- if (!SyncAuthenticPixels(image,exception))
- break;
break;
}
+ if (!SyncAuthenticPixels(image,exception))
+ return(MagickFalse);
+ return(MagickTrue);
}
@@ -446,10 +428,10 @@ static void InsertRow(unsigned char *p,s
x++; \
if((ssize_t) x>=ldblk) \
{ \
- InsertRow(BImgBuff,(ssize_t) y,image,bpp); \
+ if (InsertRow(BImgBuff,(ssize_t) y,image,bpp) != MagickFalse) \
+ y++; \
x=0; \
- y++; \
- } \
+ } \
}
/* WPG1 raster reader. */
static int UnpackWPGRaster(Image *image,int bpp)
@@ -476,15 +458,14 @@ static int UnpackWPGRaster(Image *image,
if(BImgBuff==NULL) return(-2);
while(y<(ssize_t) image->rows)
- {
- i = ReadBlobByte(image);
- if(i==EOF)
- {
- RelinquishMagickMemory(BImgBuff);
- return(-5);
- }
- bbuf = i;
+ {
+ int
+ c;
+ c=ReadBlobByte(image);
+ if (c == EOF)
+ break;
+ bbuf=(unsigned char) c;
RunCount=bbuf & 0x7F;
if(bbuf & 0x80)
{
@@ -494,7 +475,10 @@ static int UnpackWPGRaster(Image *image,
for(i=0;i<(int) RunCount;i++) InsertByte(bbuf);
}
else { /* read next byte as RunCount; repeat 0xFF runcount* */
- RunCount=ReadBlobByte(image);
+ c=ReadBlobByte(image);
+ if (c < 0)
+ break;
+ RunCount=(unsigned char) c;
for(i=0;i<(int) RunCount;i++) InsertByte(0xFF);
}
}
@@ -508,7 +492,10 @@ static int UnpackWPGRaster(Image *image,
}
}
else { /* repeat previous line runcount* */
- RunCount=ReadBlobByte(image);
+ c=ReadBlobByte(image);
+ if (c < 0)
+ break;
+ RunCount=(unsigned char) c;
if(x) { /* attempt to duplicate row from x position: */
/* I do not know what to do here */
BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
@@ -524,13 +511,19 @@ static int UnpackWPGRaster(Image *image,
BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
return(-4);
}
- InsertRow(BImgBuff,y-1,image,bpp);
+ if (InsertRow(BImgBuff,y-1,image,bpp) == MagickFalse)
+ {
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
+ return(-5);
+ }
}
}
}
+ if (EOFBlob(image) != MagickFalse)
+ break;
}
BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
- return(0);
+ return(y < (ssize_t) image->rows ? -5 : 0);
}
@@ -546,34 +539,34 @@ RestoreMSCWarning \
x++; \
if((ssize_t) x >= ldblk) \
{ \
- InsertRow(BImgBuff,(ssize_t) y,image,bpp); \
+ if (InsertRow(BImgBuff,(ssize_t) y,image,bpp) != MagickFalse) \
+ y++; \
x=0; \
- y++; \
- } \
+ } \
}
/* WPG2 raster reader. */
static int UnpackWPG2Raster(Image *image,int bpp)
{
+ int XorMe = 0;
+
+ int
+ RunCount;
+
size_t
x,
y;
ssize_t
+ i,
ldblk;
- int XorMe = 0;
-
unsigned int
SampleSize=1;
unsigned char
bbuf,
*BImgBuff,
- RunCount,
- SampleBuffer[8];
-
- unsigned int
- i;
+ SampleBuffer[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
x=0;
y=0;
@@ -592,9 +585,15 @@ static int UnpackWPG2Raster(Image *image
case 0x7D:
SampleSize=ReadBlobByte(image); /* DSZ */
if(SampleSize>8)
- return(-2);
+ {
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
+ return(-2);
+ }
if(SampleSize<1)
- return(-2);
+ {
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
+ return(-2);
+ }
break;
case 0x7E:
(void) FormatLocaleFile(stderr,
@@ -603,6 +602,8 @@ static int UnpackWPG2Raster(Image *image
break;
case 0x7F:
RunCount=ReadBlobByte(image); /* BLK */
+ if (RunCount < 0)
+ break;
for(i=0; i < SampleSize*(RunCount+1); i++)
{
InsertByte6(0);
@@ -610,31 +611,37 @@ static int UnpackWPG2Raster(Image *image
break;
case 0xFD:
RunCount=ReadBlobByte(image); /* EXT */
+ if (RunCount < 0)
+ break;
for(i=0; i<= RunCount;i++)
for(bbuf=0; bbuf < SampleSize; bbuf++)
InsertByte6(SampleBuffer[bbuf]);
break;
case 0xFE:
RunCount=ReadBlobByte(image); /* RST */
+ if (RunCount < 0)
+ break;
if(x!=0)
{
(void) FormatLocaleFile(stderr,
"\nUnsupported WPG2 unaligned token RST x=%.20g, please report!\n"
,(double) x);
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
return(-3);
}
{
/* duplicate the previous row RunCount x */
for(i=0;i<=RunCount;i++)
{
- InsertRow(BImgBuff,(ssize_t) (image->rows >= y ? y : image->rows-1),
- image,bpp);
- y++;
+ if (InsertRow(BImgBuff,(ssize_t) (image->rows > y ? y : image->rows-1),image,bpp) != MagickFalse)
+ y++;
}
}
break;
case 0xFF:
RunCount=ReadBlobByte(image); /* WHT */
+ if (RunCount < 0)
+ break;
for (i=0; i < SampleSize*(RunCount+1); i++)
{
InsertByte6(0xFF);
@@ -659,6 +666,8 @@ static int UnpackWPG2Raster(Image *image
}
}
}
+ if (EOFBlob(image) != MagickFalse)
+ break;
}
BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
return(0);
@@ -680,13 +689,13 @@ unsigned Flags;
(*CTM)[2][2]=1;
Flags=ReadBlobLSBShort(image);
- if(Flags & LCK) x=ReadBlobLSBLong(image); /*Edit lock*/
+ if(Flags & LCK) (void) ReadBlobLSBLong(image); /*Edit lock*/
if(Flags & OID)
{
if(Precision==0)
- {x=ReadBlobLSBShort(image);} /*ObjectID*/
+ {(void) ReadBlobLSBShort(image);} /*ObjectID*/
else
- {x=ReadBlobLSBLong(image);} /*ObjectID (Double precision)*/
+ {(void) ReadBlobLSBLong(image);} /*ObjectID (Double precision)*/
}
if(Flags & ROT)
{
@@ -740,6 +749,9 @@ static Image *ExtractPostscript(Image *i
FILE
*ps_file;
+ int
+ c;
+
ImageInfo
*clone_info;
@@ -756,7 +768,7 @@ static Image *ExtractPostscript(Image *i
clone_info->length=0;
/* Obtain temporary file */
- AcquireUniqueFilename(postscript_file);
+ (void) AcquireUniqueFilename(postscript_file);
ps_file=fopen_utf8(postscript_file,"wb");
if (ps_file == (FILE *) NULL)
goto FINISH;
@@ -766,10 +778,13 @@ static Image *ExtractPostscript(Image *i
(void) ReadBlob(image, 2*MaxTextExtent, magick);
(void) SeekBlob(image,PS_Offset,SEEK_SET);
- while(PS_Size-- > 0)
- {
- (void) fputc(ReadBlobByte(image),ps_file);
- }
+ while (PS_Size-- > 0)
+ {
+ c=ReadBlobByte(image);
+ if (c == EOF)
+ break;
+ (void) fputc(c,ps_file);
+ }
(void) fclose(ps_file);
/* Detect file format - Check magic.mgk configuration file. */
@@ -793,9 +808,9 @@ static Image *ExtractPostscript(Image *i
Replace current image with new image while copying base image
attributes.
*/
- (void) CopyMagickMemory(image2->filename,image->filename,MaxTextExtent);
- (void) CopyMagickMemory(image2->magick_filename,image->magick_filename,MaxTextExtent);
- (void) CopyMagickMemory(image2->magick,image->magick,MaxTextExtent);
+ (void) CopyMagickString(image2->filename,image->filename,MaxTextExtent);
+ (void) CopyMagickString(image2->magick_filename,image->magick_filename,MaxTextExtent);
+ (void) CopyMagickString(image2->magick,image->magick,MaxTextExtent);
image2->depth=image->depth;
DestroyBlob(image2);
image2->blob=ReferenceBlob(image->blob);
@@ -881,7 +896,7 @@ static Image *ReadWPGImage(const ImageIn
typedef struct
{
unsigned int Width;
- unsigned int Heigth;
+ unsigned int Height;
unsigned int Depth;
unsigned int HorzRes;
unsigned int VertRes;
@@ -890,7 +905,7 @@ static Image *ReadWPGImage(const ImageIn
typedef struct
{
unsigned int Width;
- unsigned int Heigth;
+ unsigned int Height;
unsigned char Depth;
unsigned char Compression;
} WPG2BitmapType1;
@@ -903,7 +918,7 @@ static Image *ReadWPGImage(const ImageIn
unsigned int UpRightX;
unsigned int UpRightY;
unsigned int Width;
- unsigned int Heigth;
+ unsigned int Height;
unsigned int Depth;
unsigned int HorzRes;
unsigned int VertRes;
@@ -1006,6 +1021,8 @@ static Image *ReadWPGImage(const ImageIn
image->colors = 0;
bpp=0;
BitmapHeader2.RotAngle=0;
+ Rec2.RecordLength = 0;
+ Rec.RecordLength = 0;
switch(Header.FileType)
{
@@ -1031,8 +1048,8 @@ static Image *ReadWPGImage(const ImageIn
{
case 0x0B: /* bitmap type 1 */
BitmapHeader1.Width=ReadBlobLSBShort(image);
- BitmapHeader1.Heigth=ReadBlobLSBShort(image);
- if ((BitmapHeader1.Width == 0) || (BitmapHeader1.Heigth == 0))
+ BitmapHeader1.Height=ReadBlobLSBShort(image);
+ if ((BitmapHeader1.Width == 0) || (BitmapHeader1.Height == 0))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
BitmapHeader1.Depth=ReadBlobLSBShort(image);
BitmapHeader1.HorzRes=ReadBlobLSBShort(image);
@@ -1045,14 +1062,22 @@ static Image *ReadWPGImage(const ImageIn
image->y_resolution=BitmapHeader1.VertRes/470.0;
}
image->columns=BitmapHeader1.Width;
- image->rows=BitmapHeader1.Heigth;
+ image->rows=BitmapHeader1.Height;
bpp=BitmapHeader1.Depth;
+ if (bpp > 24)
+ ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
goto UnpackRaster;
case 0x0E: /*Color palette */
WPG_Palette.StartIndex=ReadBlobLSBShort(image);
WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
+ if (WPG_Palette.NumOfEntries == 0)
+ ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
+
+ if (WPG_Palette.NumOfEntries > MaxMap+1)
+ ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
+
if ((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) >
(Rec2.RecordLength-2-2) / 3)
ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
@@ -1087,8 +1112,8 @@ static Image *ReadWPGImage(const ImageIn
BitmapHeader2.UpRightX=ReadBlobLSBShort(image);
BitmapHeader2.UpRightY=ReadBlobLSBShort(image);
BitmapHeader2.Width=ReadBlobLSBShort(image);
- BitmapHeader2.Heigth=ReadBlobLSBShort(image);
- if ((BitmapHeader2.Width == 0) || (BitmapHeader2.Heigth == 0))
+ BitmapHeader2.Height=ReadBlobLSBShort(image);
+ if ((BitmapHeader2.Width == 0) || (BitmapHeader2.Height == 0))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
BitmapHeader2.Depth=ReadBlobLSBShort(image);
BitmapHeader2.HorzRes=ReadBlobLSBShort(image);
@@ -1107,14 +1132,16 @@ static Image *ReadWPGImage(const ImageIn
image->y_resolution=BitmapHeader2.VertRes/470.0;
}
image->columns=BitmapHeader2.Width;
- image->rows=BitmapHeader2.Heigth;
+ image->rows=BitmapHeader2.Height;
bpp=BitmapHeader2.Depth;
+ if (bpp > 24)
+ ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
UnpackRaster:
status=SetImageExtent(image,image->columns,image->rows);
if (status == MagickFalse)
break;
- if ((image->colors == 0) && (bpp <= 16))
+ if ((image->storage_class != PseudoClass) && (bpp != 24))
{
image->colors=one << bpp;
if (!AcquireImageColormap(image,image->colors))
@@ -1188,8 +1215,7 @@ static Image *ReadWPGImage(const ImageIn
ReplaceImageInList(&image,flip_image);
}
}
-
- /* rotate command */
+ /* rotate command */
if(BitmapHeader2.RotAngle & 0x0FFF)
{
Image
@@ -1256,6 +1282,19 @@ static Image *ReadWPGImage(const ImageIn
case 0x0C: /* Color palette */
WPG_Palette.StartIndex=ReadBlobLSBShort(image);
WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
+ /* Sanity check for amount of palette entries. */
+ if (WPG_Palette.NumOfEntries == 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+
+ if (WPG_Palette.NumOfEntries > MaxMap+1)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+
+ if ( (WPG_Palette.StartIndex > WPG_Palette.NumOfEntries) ||
+ (((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) >
+ ((Rec2.RecordLength-2-2) / 3))) )
+ ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
+
+
if ((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) >
(Rec2.RecordLength-2-2) / 3)
ThrowReaderException(CorruptImageError,"InvalidColormapIndex");
@@ -1277,8 +1316,8 @@ static Image *ReadWPGImage(const ImageIn
break;
case 0x0E:
Bitmap2Header1.Width=ReadBlobLSBShort(image);
- Bitmap2Header1.Heigth=ReadBlobLSBShort(image);
- if ((Bitmap2Header1.Width == 0) || (Bitmap2Header1.Heigth == 0))
+ Bitmap2Header1.Height=ReadBlobLSBShort(image);
+ if ((Bitmap2Header1.Width == 0) || (Bitmap2Header1.Height == 0))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
Bitmap2Header1.Depth=ReadBlobByte(image);
Bitmap2Header1.Compression=ReadBlobByte(image);
@@ -1306,13 +1345,11 @@ static Image *ReadWPGImage(const ImageIn
continue; /*Ignore raster with unknown depth*/
}
image->columns=Bitmap2Header1.Width;
- image->rows=Bitmap2Header1.Heigth;
-
+ image->rows=Bitmap2Header1.Height;
status=SetImageExtent(image,image->columns,image->rows);
if (status == MagickFalse)
break;
-
- if ((image->storage_class != PseudoClass) && (bpp != 24))
+ if ((image->colors == 0) && (bpp != 24))
{
size_t
one;
@@ -1342,14 +1379,19 @@ static Image *ReadWPGImage(const ImageIn
if (BImgBuff == (unsigned char *) NULL)
goto NoMemory;
- for(i=0; i< (ssize_t) image->rows; i++)
- {
- (void) ReadBlob(image,ldblk,BImgBuff);
- InsertRow(BImgBuff,i,image,bpp);
- }
+ for (i=0; i< (ssize_t) image->rows; i++)
+ {
+ (void) ReadBlob(image,ldblk,BImgBuff);
+ if (InsertRow(BImgBuff,i,image,bpp) == MagickFalse)
+ {
+ if(BImgBuff)
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
+ goto DecompressionFailed;
+ }
+ }
if(BImgBuff)
- BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);;
+ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);
break;
}
case 1: /*RLE for WPG2 */
